PHP - Session - log in

I have a login html form, which logs in a user using a php script which creates a session (code below). There is an if else statement in the code that says if the login information is incorrect - then prompt the user to log in with correct information (or register - also on the same html form). Else - create the session variables for username and password - and go on to the next page (admin.php).
On the admin.php script - the first thing that i'm doing is starting the session and checking the variables - that they are set. (Code below the login script).
However - I notice that I can still access the page, even when i'm not in a session. Any ideas on how to fix this?

Also - I have a couple of other pages, where I need to set up the same deal. How can this be done on an .html page?

>> So all of my pages should be php pages if I want to validate the session, correct?

Yes.
>> With the exception of my html form page which allows the user to log in. Is that right?

Yes, any page that does NOT need to be protected can have .html extension.

if (!isset($_SESSION['username']) || $_SESSION['username']=="") {

Here you are only destroying the session if $_SESSION['username'] is NOT set or if it is blank. Remove the if() statement, execute session_unset() and session_destroy() regardless of the existence of/value of $_SESSION['username'].

That did it! I really appreciate the help!
One quick question - if i'm not in a session - i'm unable to access certain pages - it just brings me directly to the login page (via a header). How can I create a message that says (you are not logged in) - and which page does it go on - the login page? Or the page that is directing me back to the login page?

<?php
if(isset($_GET['msg']) and $_GET['msg']=='notloggedin')
echo '<p style="color:red">You need to log in before you can access this page!</p>';
?>

I inserted an "exit;" after the redirect. This is good practice, otherwise the rest of the protected page is executed before the actual redirect is executed. You used an else-clause to prevent this, this is easy to forget. When using exit the else-clause is not needed.

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…

Things That Drive Us Nuts
Have you noticed the use of the reCaptcha feature at EE and other web sites? It wants you to read and retype something that looks like this.
Insanity! It's not EE's fault - that's just the way reCaptcha works. But it i…

The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…